Privacy Policy
Last updated: March 12, 2026
1. Who We Are
Resume Mapper is operated by Code Wizard, a sole trader registered in Poland. We are the data controller for personal data collected about our Customers (account holders). For personal data of Candidates (individuals whose CVs are parsed through our Service), we act as a data processor on behalf of our Customers, who are the data controllers.
- Service: resume-mapper.dev
- Email: privacy@resume-mapper.dev
- Legal entity: Code Wizard, Poland
2. Personal Data We Collect
2.1 Account Data (Customers)
- Full name and email address (provided at registration or via OAuth provider).
- Organisation name.
- Authentication provider identifier (Google, Microsoft, GitHub, Apple, or email/password hash via Firebase Auth).
- IP address and user-agent at login for security purposes.
2.2 Billing Data (Customers)
Payment details (card number, expiry, CVV) are collected and stored exclusively by Stripe, Inc. We receive only: Stripe Customer ID, Subscription ID, plan tier, and payment status indicators.
2.3 Usage Data (Customers)
- Number of CV parses performed per month.
- API call logs (timestamp, HTTP status, response time) — no CV content.
- Parse history metadata: file name, file type, file size, timestamp, success/failure flag.
2.4 Candidate Data (processed on behalf of Customers)
CV files submitted via the API or widget may contain: name, email, phone number, address, employment history, educational history, skills, and other information voluntarily included in a CV. This data is processed in-memory and not stored permanently — see Section 4.
2.5 Technical Data
- Browser type and version, operating system (from user-agent header).
- Referring URL.
- Firebase authentication tokens (stored in browser local storage / IndexedDB).
3. Legal Basis and Purposes for Processing
We process personal data on the following legal bases under Article 6 GDPR:
Contract (Art. 6(1)(b))
- Providing and operating the Service.
- Processing payments and managing Subscriptions.
- Issuing and revoking API Keys.
- Delivering parse results and webhook transmissions.
Legitimate Interest (Art. 6(1)(f))
- Fraud prevention and abuse detection.
- Rate limiting and infrastructure security.
- Sending service-critical transactional emails (billing issues, security alerts).
- Aggregated analytics to improve Service performance.
Legal Obligation (Art. 6(1)(c))
- Retaining billing records as required by Polish accounting law (5 years).
- Responding to lawful requests from supervisory authorities.
4. CV Data Processing
When a Customer submits a CV file through the widget or API:
- The file is received by our API endpoint over HTTPS/TLS.
- The file content (or extracted text) is transmitted to OpenAI's API (GPT-4o-mini or GPT-4o) for structured data extraction. OpenAI processes this data as a sub-processor under a Data Processing Agreement; OpenAI does not use API-submitted data to train its models (as of the date of this Policy).
- The structured Parsed Data (JSON) is returned in the API response and, if configured, POSTed to the Customer's Webhook endpoint.
- The original CV file is NOT stored on our servers — it is discarded after processing.
- A parse history log is created containing: file name, file type, file size, timestamp, and success/failure flag. This log does NOT contain CV content. It is retained for 90 days.
- Parsed Data is NOT stored by Resume Mapper after being returned to the Customer.
5. Sub-processors and Third Parties
We share data with the following third-party service providers (sub-processors) to operate the Service. We have Data Processing Agreements in place with each:
OpenAI, L.L.C. (United States)
Purpose: AI inference for CV text extraction. Data shared: CV file content or extracted text. Transfer mechanism: Standard Contractual Clauses (EU SCCs). Privacy policy: openai.com/policies/privacy-policy
Google LLC / Firebase (United States)
Purpose: Authentication (Firebase Auth) and database (Firestore). Data shared: account data, organisation data, usage data, API keys. Transfer mechanism: Standard Contractual Clauses. Privacy policy: firebase.google.com/support/privacy
Stripe, Inc. (United States)
Purpose: Payment processing and subscription management. Data shared: billing data (collected directly by Stripe). Transfer mechanism: Standard Contractual Clauses / Stripe's own DPA. Privacy policy: stripe.com/privacy
Vercel, Inc. (United States)
Purpose: Cloud hosting and edge network for the web application. Data shared: request logs, IP addresses (transient). Transfer mechanism: Standard Contractual Clauses. Privacy policy: vercel.com/legal/privacy-policy
6. International Data Transfers
Resume Mapper is operated from Poland, within the European Economic Area (EEA). All sub-processors listed in Section 5 are based in the United States. Transfers of personal data to the United States are made on the basis of the European Commission's Standard Contractual Clauses (SCCs) as adopted under Decision 2021/914/EU. Copies of the applicable SCC arrangements are available upon request at privacy@resume-mapper.dev.
7. Data Retention
Account data
Retained for the duration of the active account. After account deletion or Subscription cancellation, data is retained for 90 days to enable reactivation, then permanently deleted.
Billing records
Retained for 5 years from the date of the transaction, as required by Polish accounting law (Polish Accounting Act).
Parse history logs
File metadata (name, type, size, timestamp, success flag) retained for 90 days, then automatically deleted.
CV files and Parsed Data
NOT retained. Discarded immediately after processing (CV files) or after API response (Parsed Data).
Rate-limit counters
Expire automatically after 24 hours (TTL) and contain no personal data.
Authentication tokens
Managed by Firebase Auth; session tokens expire per Firebase's default session policy.
8. Cookies and Local Storage
We use only strictly necessary cookies and browser storage. We do NOT use advertising, tracking, or analytics cookies.
- Firebase Auth token: stored in browser IndexedDB / local storage to maintain your authenticated session. Necessary for the Service to function.
- No third-party tracking pixels or advertising cookies are used.
- We do not use Google Analytics, Facebook Pixel, or similar analytics services.
9. Your Rights under GDPR
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of access (Art. 15): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations.
- Right to restriction of processing (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with the Polish supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland — or with the supervisory authority in your country of residence.
10. California Privacy Rights (CCPA)
Resume Mapper is a B2B service. Personal data of California residents collected in a business-to-business context is exempt from most CCPA obligations. We do not sell personal information. If you are a California resident acting as an individual (not on behalf of a business), you may contact us at privacy@resume-mapper.dev to exercise rights under CCPA.
11. Security Measures
We implement the following technical and organisational security measures:
- All data in transit is encrypted using TLS 1.2 or higher.
- API Keys are stored as hashed values in Firestore; the plain-text key is shown only once upon generation.
- Firebase Auth enforces secure password requirements and supports multi-factor authentication options.
- Access to production Firestore is restricted to authorised server-side functions and the Firebase Admin SDK.
- Rate limiting (per-minute, per-organisation) protects against abuse and denial-of-service.
- Security incidents affecting personal data will be reported to UODO within 72 hours as required by Art. 33 GDPR.
12. Children
The Service is intended exclusively for business use and is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected such data, we will delete it promptly. If you believe a child under 16 has submitted data, please contact privacy@resume-mapper.dev.
13. Changes to this Policy and Contact
We may update this Privacy Policy from time to time. Registered Customers will be notified of material changes by email at least 14 days before the changes take effect. The date of the most recent update is shown at the top of this page.
- Data Controller: Code Wizard, Poland
- Privacy/DPO contact: privacy@resume-mapper.dev
- General contact: hello@resume-mapper.dev
- Supervisory authority: UODO (uodo.gov.pl)